WhatsApp’s “View Once” feature, designed to enhance privacy by allowing users to send photos and videos that disappear after being opened once, has been found to have a critical flaw that attackers are actively exploiting.
The Zengo X Research Team discovered that the feature can be easily bypassed, allowing malicious actors to save and distribute “View Once” media without the sender’s knowledge.
Decoding Compliance: What CISOs Need to Know – Join Free Webinar
WhatsApp View Once Feature Exploited
“You can send photos, voice messages, and videos that disappear from a chat after the recipient has opened them once,” WhatsApp said.
The core issue lies in WhatsApp’s implementation of the “View Once” feature:
- “View Once” messages are sent to all of the receiver’s devices, including those not intended to display them, such as web applications that can be easily modified.
- The messages are technically the same as regular media messages, with only a “View Once” flag set. Attackers can simply change this flag to “false” to convert the media to a regular, downloadable format.
- The media URL does not require authentication to download the content as long as the attacker has the decryption key sent with the message.
- Some versions of “View Once” messages contain a low-quality preview that can be viewed without downloading the media.
- “View Once” media is not immediately deleted from WhatsApp’s servers after being downloaded, remaining accessible for up to two weeks.
“When we looked into the implementation details, we were very surprised to find that although “View once” is meant to be limited to platforms on which the app can control its displayed content and prevent other processes from abusing it, WhatsApp’s API server does not enforce it,” Zengo researchers said.
Zengo’s findings revealed that others discovered this flaw earlier this year and are actively exploiting it.
Attackers have developed modified WhatsApp Android apps and web extensions that automatically toggle the “View Once” flag, allowing them to save and distribute the media without the sender’s consent.
While analog methods of copying “View Once” media exist, this digital exploit makes the process significantly easier, faster, and more scalable. It also eliminates attribution and non-repudiation, as the copied media is identical to the original.
To address this issue, WhatsApp must implement a proper Digital Rights Management (DRM) solution that verifies hardware support for DRM.
Alternatively, a less robust solution would be to send “View Once” messages only to the primary mobile device, not to linked companion devices.
Until the flaw is fixed, users should be aware that “View Once” media may not be as private as they believe, and WhatsApp should either address the issue or discontinue the feature to avoid providing a false sense of privacy.
Download Free Incident Response Plan Template for Your Security Team – Free Download